Is Your Favorite Site Stealing Your CPU Cycles to Mine Monero with Coinhive?

September 26, 2017, Mike Browning

Cryptocurrency mining threats have been making waves in the affiliate advertising space, but it was recently reported that Showtime domains are running Coinhive, a JavaScript library that mines Monero cryptocurrency using the CPU resources of website visitors, likely to monetize the sessions of those watching shows on their site.

However, RiskIQ data suggest Showtime is far from the only site employing this monetization technique. Via our global proxy network, with which we collect data on web components—the servers, frameworks, JavaScript libraries, and more—that appear on hosts around the world, we’ve detected 991 domains currently loading the Coinhive code.

Fig. 1: A listing of domains running Coinhive in a RiskIQ Community Edition Public Project

While all these sites are using end users’ CPU cycles to mine cryptocurrency, the circumstances for each could be very different. Some sites ask permission to do so, but others are leveraging their users’ machines to collect Monero without their consent, degrading their experience with slower speeds in the process. Still other sites may have no idea they are running the JavaScript library at all. Like most third-party components on a website, JavaScript can be changed and compromised without the knowledge of the site owner. Coinhive code could have found its way onto a site when public code was modified downstream.

Of course, this Monero mining technique is also an opportunity for bad actors to spin up fake, illegitimate websites to siphon money off of major brands with typosquatting domains. By leveraging domains or subdomains that appear to belong to major brands, these actors trick people into visiting their sites running the Coinhive Monero mining script to monetize their content. Among the 991 domains we found, there were many examples of typosquatting and domain infringement.

Know What’s Running on Your Web Properties

Unfortunately, security teams lack visibility into all of the ways that they can be attacked externally, and struggle to answer the question, “where are the weaknesses in the armor?” The answer lies in understanding what belongs to your organization, how it’s connected to the rest of your asset inventory, and what potential vulnerabilities are exposed to compromise. In the case of Coinhive, it means being able to inventory all the third-party code running on your web assets, and being able to detect instances of threat actors leveraging your brand on their illegitimate sites around the internet.
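One way to do that inventory for this particular component, as an added example that is not RiskIQ code: a small Python scanner that parses a page’s script tags and flags both the external Coinhive loader and the in-page call that starts the miner. The script host and the CoinHive.Anonymous/User constructors are the library’s usage as I know it, not details taken from this post, and the sample pages below are constructed.

```python
import re
from html.parser import HTMLParser

# Indicators for the Coinhive loader and its in-page API (library usage as I know
# it, not from the post). A match means "review this page", not proof of intent.
LOADER_HOST_RE = re.compile(r"(^|//|\.)coinhive\.com(/|$)", re.I)
API_RE = re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(", re.I)


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from one page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True  # body arrives via handle_data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_coinhive(html):
    """Return (kind, evidence) findings for every Coinhive indicator on a page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = [("external-loader", s) for s in parser.external if LOADER_HOST_RE.search(s)]
    for body in parser.inline:
        match = API_RE.search(body)
        if match:
            findings.append(("inline-miner-start", match.group(0).strip()))
    return findings


# Constructed sample pages; the site key is a placeholder, not a real key.
CLEAN_PAGE = '<html><head><script src="/static/app.js"></script></head><body>Hi</body></html>'
MINING_PAGE = ('<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
               '<script>var m = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER", {throttle: 0.3});'
               ' m.start();</script></head><body>Stream</body></html>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("mining", MINING_PAGE)):
        print(name, find_coinhive(page))
```

Run against fetched HTML for each host in your inventory and diff the findings over time; a loader that appears on a page that never shipped it is the downstream-modification case described above.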

Currently, 92% of customers using RiskIQ Digital Footprint Enterprise had, at best, partial visibility into their internet-exposed digital assets before partnering with RiskIQ, and half of them report increasing their insight into digital threats by at least 50% with our automated discovery and management capability.

Signing up for RiskIQ Community Edition now gives you access to one of the most popular RiskIQ products, Digital Footprint. When you sign up or sign in with your organizational email address, you get a glimpse into your organization’s attack surface.